Law enforcement agencies: We need to talk about encryption
Law enforcement agencies continue their fight against encryption, and are seeking new ways to work with private companies in order to catch criminals and terrorists.
Law enforcement agencies: We need to talk about encryption
Speaking at the Infosecurity Europe conference in London yesterday, experts from the FBI, the National Crime Agency (NCA), Europol and academia spoke at length on criminal behaviour, attack attribution and the need for international collaboration, as well as the difficulties posed by encryption.
Wil Van Gemert, acting head of Europol's EC3, kicked things off on encryption halfway through the talk by saying that "the balance isn't right" with encryption and law enforcement, and the subject loomed large into view later when brought up again by moderator, BH Consulting CEO Brian Honan.
Professor Alan Woodward, a Europol advisor and visiting professor of the Surrey Centre of Cyber Security at the University of Surrey, said: “I am great supporter of encryption because it's out there and you're not going to un-invent it.”
Citing the introduction of the RIPA law in 2000 and the crypto wars of the 1990s, he sympathised with desires to have access to encrypted traffic, equating it to leaving the key under the door mat for police, only to find out criminals know it's there too. Worse still, the door keys you really want aren't even been left under the mat.
On encryption, he said: “I don't think you can uninvent it…if you can weaken it, you weaken it for your friends as well as your enemies, if you put backdoors in, people like me are going to be out there fiddling with it and we'll find the backdoor as well as anybody else.”
“However, I do totally agree with the principle, I think it was said by the Prime Minister of the UK, that we don't want places where extremists or criminals can have conservations that we can't listen to. It means the industry has to cooperate with government.”
For example, Woodward said that WhatsApp's use of end-to-end encryption would a “real problem” for law enforcement, so he instead suggested that law enforcement should be able to serve a warrant to a service provider, so to intercept certain messages - so long as this was approved by law and the firm's security architecture allowed for this to happen.
Intercepting the message on its way to the recipient, said the professor, would be a “far more sensible and practical way of doing it.”
“It doesn't lend itself to mass surveillance, it's very much targeted surveillance, and it gets around the encryption argument," he continued. "You can still encrypt, but you just can get the point where it is visible,” he said.
Andy Archibald, deputy director of the National Crime Agency's National Cyber Crime Unit, agreed.
“Law enforcement does not want mass surveillance, that high volume of data we have no interest in, it causes us problems because we've got to make sense of it, we've got to find what we're looking for, and to deal responsibly with issues around collateral intrusions.
“I think a narrative has to be developed, from a law enforcement perspective, that reassures the public. I think there's this sense of Big Brother monitoring what is happening with us [as the public] and we're all nervous around that.”
He did continue, however, that law enforcement has had intrusion capabilities for many years and have – bar the odd occasion where information has been lost publicly – done this interception in a “responsible” manner.
“I think the challenge around encryption, and the scale, the scope and the challenge of getting into communications of criminals, does present a real challenge. But we don't want mass surveillance, it doesn't suit law enforcement.”
Instead, like Woodward, he urged for targeted surveillance, where law enforcement could co-operate with private industry when dealing with someone known to have "clearly engaged in serious organised criminality'. He did however realise that the current debate over encryption and privacy was an “emotional topic” that would have to see law enforcement speak to the public about what it could do, and what checks and balances were in place.
“We in law enforcement have to work with the public, frankly, to help understand that we can do this responsibly, it's not about mass surveillance, and that it's managed, overseen and supervised in way that gives the public reassurance.
FBI assistant legal attache Michael Driscoll said: “We can't deny [encryption] is not going to go away, it's a useful tool, I use it on my daily transactions.” However, he pointed to Bitcoin and other virtual currencies and said these make it difficult for law enforcement to track the money, such as where it originates and where it goes to.
But he warned: “But on other side of coin, we have to recognise that the serious threats we're concerned about come with encryption. We have to work with private sector to really address those threats.”
He warned too that encryption was used by nefarious actors: “Every time something new is invented on the internet related to security or secrecy, the first group that gets on the web with that, almost every time? Child exploitation.”
“Those are my concerns, can't close completely, shut us out completely, otherwise who else takes advantages of businesses, organisations and the world live in.”
He added that you can't be secure on Internet today, all you can do is simply take as many precautions as possible. Both the FBI and EC3 urged for greater agency collaboration, while Archibald said firms should be thinking about engagement with staff, their awareness of online threats, what data they want to protect, what training is being done and how they inform people when incidents invariably occur.
Interestingly, he said that the agency was now in the process of having ‘more mature' conversations with breach victims, so they can report incidents without fearing a negative response in the media and on stock prices.
In related news, Apple CEO Tim Cook this week warned the US government to not implement backdoors in software, while also blaming Google and Facebook for hoarding too much user data.